Community discussions

Search found 48 matches

by moep
Tue Apr 16, 2019 11:29 am
Forum: General
Topic: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]
Replies: 18
Views: 975

Re: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]

Please try disabling "Send INITIAL_CONTACT" (send-initial-contact) option on both peers.
wow that... I am amazed... worked. It is running.
May I ask why this solved the problem?

I only had initial contact on responder side -> disabled -> worked
by moep
Tue Apr 16, 2019 10:54 am
Forum: General
Topic: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]
Replies: 18
Views: 975

Re: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]

@gotsprings nah I don't want to involve third parties and could easily make this with systems myself. but I want a real end to end connectivity. @sindy today I tried to set up identities on both sides with unique certificate and unique ID (user fqdn matching the SAN in certificate) I even imported b...
by moep
Mon Apr 15, 2019 7:37 am
Forum: General
Topic: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]
Replies: 18
Views: 975

Re: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]

@sindy as both methods are not supported anymore for IKEv2 in 6.44 this is going to be a problem (also for you I think) in the future. Every attempt was unsuccessful to make it work. I will try to debug that. @gotsprings yeah it would be great if routeros had something like mesh tunneling or "SD-VPN...
by moep
Sun Apr 14, 2019 11:19 pm
Forum: General
Topic: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]
Replies: 18
Views: 975

Re: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]

yes I did exactly this. initiator had one particular cert per peer id.
setting was user fqdn on id too.
only responder had single cert -> this could also be the problem I think.
but this did not solve the problem.
running version 6.44
by moep
Sun Apr 14, 2019 11:01 pm
Forum: General
Topic: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]
Replies: 18
Views: 975

Re: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]

I did exactly this. one specific cert per peer on initiator, but did not change anything.
by moep
Sun Apr 14, 2019 10:34 pm
Forum: General
Topic: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]
Replies: 18
Views: 975

Re: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]

I use rsa-signatures.
I initially tried xauth, but at that time it said that xauth is not support with ikev2. that may have changed.

Edit:
apparently it has not changed. I am unable to set rsa signature hybrid or psk yauth on the ikev2 peer
by moep
Sun Apr 14, 2019 10:23 pm
Forum: General
Topic: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]
Replies: 18
Views: 975

Re: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]

originally I had two peers, each handling one of the wan addresses.
I tried single peer setup (with identity check and then apply policy templates accordingly) but this did not change anything.
by moep
Sat Apr 13, 2019 10:35 pm
Forum: General
Topic: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]
Replies: 18
Views: 975

IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]

Is it currently possible to get 2:1 relationships working? There is a central site with dual wan (not failover). Every remote site has only one wan. When I try to make a tunnel (as foundation for upperlevel ipip tunnel) is works only when I make a connection to only one central wan peer. If i enable...
by moep
Tue Mar 27, 2018 7:08 am
Forum: RouterBOARD hardware
Topic: CRS317 fanless operation question
Replies: 2
Views: 553

Re: CRS317 fanless operation question

Thank you for your answer.
Thats a shame, I also would have liked this device if it would perform fanless most of the time.
Perhaps someone vom MikroTik can explain, if there are upcoming changes to enable our request :D
by moep
Mon Mar 26, 2018 8:36 pm
Forum: RouterBOARD hardware
Topic: CRS317 fanless operation question
Replies: 2
Views: 553

CRS317 fanless operation question

Hello, in the product description, it says The unit has dual redundant power supplies and passive cooling case, so it’s completely silent - for hot environments two redundant fans will automatically keep the system cool if needed. . At which Temperature (internal?, Ambient?) will these fans be turne...
by moep
Sun Feb 18, 2018 10:51 pm
Forum: General
Topic: IPSec mode-config site to site problem
Replies: 0
Views: 255

IPSec mode-config site to site problem

Hello, reading the changelogs I found out, that currently Phase1 is killed and not rekeyed if mode-config is used from changelogs of 6.40: *) ike1 - kill phase1 instead of rekey if "mode-config" is used; this is bad when you use mode-config for site-to-site tunnels like I do, as it is torn down for ...
by moep
Tue Jan 02, 2018 2:22 pm
Forum: Announcements
Topic: v6.41 [current]
Replies: 304
Views: 76612

Re: v6.41 [current] IKEv2 vs IKEv1 Problem

Hello, I run multiple IPSec Tunnels from two central sites to remote sites. Inside of the IPSec-tunnel is a IPIP-tunnel to do OSPF via multiple paths. With v6.41 I tried to switch over the peers to a new IKEv2 enabled peer. On the main site, I copied the 0.0.0.0/0 peer and changed the exchange mode ...
by moep
Tue May 09, 2017 9:40 pm
Forum: Wireless Networking
Topic: Huawei E3372 (non-Hi-Link) Reboot Problem
Replies: 4
Views: 1852

Re: Huawei E3372 (non-Hi-Link) Reboot Problem

done
awaiting reply :)
by moep
Tue May 09, 2017 8:26 pm
Forum: Wireless Networking
Topic: Huawei E3372 (non-Hi-Link) Reboot Problem
Replies: 4
Views: 1852

Re: Huawei E3372 (non-Hi-Link) Reboot Problem

please contact support@mikrotik.com with a support output file from working state in v6.39.1 and then another file after reboot where it doesn't work.
will do
by moep
Tue May 09, 2017 12:53 am
Forum: Announcements
Topic: v6.39.1 [current]
Replies: 158
Views: 36416

Re: v6.39.1 [current]

As I already posted in here viewtopic.php?f=7&t=121431 LTE USB Stick rebooting is broken in v6.39.x
In v6.38.5 rebooting with LTE USB Stick is possible and the ppp interface is reconnecting as expected.

Please fix it :)
by moep
Tue May 09, 2017 12:45 am
Forum: Wireless Networking
Topic: Huawei E3372 (non-Hi-Link) Reboot Problem
Replies: 4
Views: 1852

Huawei E3372 (non-Hi-Link) Reboot Problem

I have massive problems with Huawei E3372-153 LTE-USB-Sticks in non-Hi-Link Mode (they are ppp interfaces). When the router is rebootet the ppp interface does not come up anymore. What does not solve the problem: - another reboot - USB power reset of modem (will it be 1 second, 5 seconds, 60 seconds...
by moep
Fri May 05, 2017 2:14 pm
Forum: Announcements
Topic: v6.39.1 [current]
Replies: 158
Views: 36416

Re: v6.39.1 [current]

still having DFS problems with hAP ac on 6.39.1 on 6.38.5 everything was fine. every day there is radar detected and the AP switches channels until it gets to a non DFS channel (5180). it makes no difference if I change antenna gain or the "start channel" to another one (usally 5500 ist default, tes...
by moep
Tue May 02, 2017 10:05 pm
Forum: Announcements
Topic: v6.39 [current]
Replies: 89
Views: 33400

Re: v6.39 [current]

HAP ac lite - After update I can't create SMB share on external drive (usb). Can somebody confirm that?
can confirm with hEX and attached 1 TB USB SSD
also the exisiting shares are inaccessible!

please fix it :)
by moep
Thu Apr 06, 2017 4:03 pm
Forum: Announcements
Topic: v6.39rc [release candidate] is released
Replies: 391
Views: 81559

Re: v6.39rc [release candidate] is released

First of all: I had the problems with version 6.39rc60 not rc62. I now upgraded to rc62 and will check again. the problem occured mainly in the middle of the day when I am not there or in the middle of the night, so I have no clue which device it could have been. there is no iPhone 6s present. the ...
by moep
Wed Apr 05, 2017 4:50 pm
Forum: Announcements
Topic: v6.39rc [release candidate] is released
Replies: 391
Views: 81559

Re: v6.39rc [release candidate] is released

still not fixed in 6.39rc62 :( Hello, *) wireless - fixed false positive DFS radar detection caused by iPhone 6s devices; this problem still persists with version 6.39rc58 please fix it is also not necessarily related to iphone 6s devices but occurs randomly (could be that a 6s is walking by, but t...
by moep
Tue Apr 04, 2017 6:57 pm
Forum: Announcements
Topic: v6.39rc [release candidate] is released
Replies: 391
Views: 81559

Re: v6.39rc [release candidate] is released

still not fixed in 6.39rc62 :( Hello, *) wireless - fixed false positive DFS radar detection caused by iPhone 6s devices; this problem still persists with version 6.39rc58 please fix it is also not necessarily related to iphone 6s devices but occurs randomly (could be that a 6s is walking by, but th...
by moep
Wed Mar 29, 2017 3:39 pm
Forum: Announcements
Topic: v6.39rc [release candidate] is released
Replies: 391
Views: 81559

Re: v6.39rc [release candidate] is released

Hello,

*) wireless - fixed false positive DFS radar detection caused by iPhone 6s devices;

this problem still persists with version 6.39rc58

please fix

it is also not necessarily related to iphone 6s devices but occurs randomly (could be that a 6s is walking by, but thats just guessing)

Thank you
by moep
Fri Feb 03, 2017 8:09 am
Forum: Announcements
Topic: v6.38.1 [current]
Replies: 73
Views: 23820

Re: v6.38.1 [current]

every time responder size changes its IP adress and reconnect before the old dynamic policy is flushed, there is an invalid policy Do you have DPD enabled? yes, Interval 5 max. failures 3. but it does not do anything. the old policy ist still there after 15 seconds and even after several minutes an...
by moep
Tue Jan 31, 2017 7:44 am
Forum: Announcements
Topic: v6.38.1 [current]
Replies: 73
Views: 23820

Re: v6.38.1 [current]

every time responder size changes its IP adress and reconnect before the old dynamic policy is flushed, there is an invalid policy Do you have DPD enabled? yes, Interval 5 max. failures 3. but it does not do anything. the old policy ist still there after 15 seconds and even after several minutes an...
by moep
Sat Jan 28, 2017 4:48 pm
Forum: Announcements
Topic: v6.38.1 [current]
Replies: 73
Views: 23820

Re: v6.38.1 [current]

is there an update on the IPsec issue (see some posts above)?

every time responder size changes its IP adress and reconnect before the old dynamic policy is flushed, there is an invalid policy which prevent any communication.
by moep
Thu Jan 19, 2017 4:23 pm
Forum: Announcements
Topic: v6.38.1 [current]
Replies: 73
Views: 23820

Re: v6.38.1 [current]

There is (still) an IPsec issue: when I reconnect with initiator too fast the dynamic policy on responder is not purged, there is also a corrsponding SA left with no timeout values. On responder side everything looks fine IPsec-wise but IPIP-Tunnel never comes online. This situation can only be solv...
by moep
Sat Jan 14, 2017 12:09 am
Forum: General
Topic: CCR Single Stream TCP through Tunnel very slow (355KB/s)
Replies: 4
Views: 1247

SOLVED(temporarily): CCR Single Stream TCP through Tunnel very slow (355KB/s)

1. Due to single TCP stream my question is what is the ping delay between sites? The delay is normal at around 50ms 2. Search forum on "CCR reordering packets problem" and change from hardware coded encryption (CBC) to the software one (for example CTR or Camelia) :) (there are no more solutions kn...
by moep
Thu Jan 12, 2017 7:44 am
Forum: Announcements
Topic: v6.38 [current] is released!
Replies: 168
Views: 36765

Re: v6.38 [current] is released!

I might have found some other IPsec related bugs: 1. sometimes the new "PH states" are not correct, traffic is flowing but there is "no PH2" or "ready to send" which often only reverts after phase1 rekey or new phase2 2. if the initiator is reconnecting too fast e.g. after PPPoE 24 hour reconnect a...
by moep
Tue Jan 10, 2017 8:01 am
Forum: Announcements
Topic: v6.38 [current] is released!
Replies: 168
Views: 36765

Re: v6.38 [current] is released!

I might have found some other IPsec related bugs: 1. sometimes the new "PH states" are not correct, traffic is flowing but there is "no PH2" or "ready to send" which often only reverts after phase1 rekey or new phase2 2. if the initiator is reconnecting too fast e.g. after PPPoE 24 hour reconnect an...
by moep
Fri Jan 06, 2017 3:21 pm
Forum: Announcements
Topic: v6.38 [current] is released!
Replies: 168
Views: 36765

Re: v6.38 [current] is released!

i did another reboot of the device now the time stays correct and the other router syncs with this NTP server i hope it stays that way :) a periodic "restart" of ntp (disable+delay+enable) solves the problem at the moment for about 5 minutes as the clock deviates again devices that are using this nt...
by moep
Fri Jan 06, 2017 11:19 am
Forum: Announcements
Topic: v6.38 [current] is released!
Replies: 168
Views: 36765

Re: v6.38 [current] is released!

thats odd that it is working in your environment but it was already odd that the 2011 was the only device in the network with this problem. a periodic "restart" of ntp (disable+delay+enable) solves the problem at the moment for about 5 minutes as the clock deviates again devices that are using this ...
by moep
Fri Jan 06, 2017 10:40 am
Forum: Announcements
Topic: v6.38 [current] is released!
Replies: 168
Views: 36765

Re: v6.38 [current] is released!

are you using the separate NTP Package or integrated SNTP-Client? RB2011 with NTP-Package is losing the correct time while displaying "synchronized" after a while, it does not matter if I enter another routerboard or official NTP-Servers. (Standard System-SNTP not tested, as I need the NTP-Server po...
by moep
Fri Jan 06, 2017 7:59 am
Forum: Announcements
Topic: v6.38 [current] is released!
Replies: 168
Views: 36765

Re: v6.38 [current] is released!

I found several other bugs: RB2011 with NTP-Package is losing the correct time while displaying "synchronized" after a while, it does not matter if I enter another routerboard or official NTP-Servers. (Standard System-SNTP not tested, as I need the NTP-Server portion) IPsec xAuth with Mode Config (R...
by moep
Thu Jan 05, 2017 3:22 pm
Forum: Announcements
Topic: v6.38 [current] is released!
Replies: 168
Views: 36765

Re: v6.38 [current] is released!

It was not fixed for my situation, when the main site was 6.38 and the clients were still 6.37.3. It was "fixed" by upgrading every router to 6.38 which was not planned this day. This still means that IPsec with xAuth and a password longer than 31 Chars is treated differently in ROS 6.37.3 than in 6...
by moep
Tue Jan 03, 2017 10:12 pm
Forum: Announcements
Topic: v6.38 [current] is released!
Replies: 168
Views: 36765

Re: v6.38 [current] is released!

First of all happy new year and nice work on overall ipsec improvements. But the password length is still capped to 31 characters, which creates incompatibility to previous versions with long xauth passwords i wrote this here: http://forum.mikrotik.com/viewtopic.php?f=21&t=112844&p=573186#p573186 pl...
by moep
Mon Jan 02, 2017 8:15 pm
Forum: Announcements
Topic: v6.38 [current] is released!
Replies: 168
Views: 36765

Re: The Dude, v6.38 [current] release.

First of all happy new year and nice work on overall ipsec improvements. But the password length is still capped to 31 characters, which creates incompatibility to previous versions with long xauth passwords i wrote this here: http://forum.mikrotik.com/viewtopic.php?f=21&t=112844&p=573186#p573186 pl...
by moep
Sat Dec 17, 2016 11:40 pm
Forum: Announcements
Topic: v6.38rc [release candidate] is released
Replies: 331
Views: 74628

Re: v6.38rc [release candidate] is released

IPsec with xAuth seems to be broken with v6.38rc49 as responder and v6.37.3 as initiator CCR is responder and several other routerboards (RB3011, RB750Gr3, RB951G, hAPac lite, etc.) are initators. When I upgrade the CCR to the RC the initators cannot log on anymore with "xauth login failed for xyz" ...
by moep
Sat Dec 17, 2016 7:37 pm
Forum: General
Topic: CCR Single Stream TCP through Tunnel very slow (355KB/s)
Replies: 4
Views: 1247

Re: CCR Single Stream TCP through Tunnel very slow (355KB/s)

the other end is RB3011
i tried to disable hardware accleerated ciphers (switched to AES-CTR) but nothing changed
i even swtched back again to ovpn but single stream performance is still abysmal :(
by moep
Wed Dec 14, 2016 8:32 pm
Forum: General
Topic: CCR Single Stream TCP through Tunnel very slow (355KB/s)
Replies: 4
Views: 1247

CCR Single Stream TCP through Tunnel very slow (355KB/s)

Hello everyone, I have a problem regarding CCR tunnel (upload) speeds. I have a dual wan setup. wan1 is 10Mbit/s up and 50Mbit/s down wan2 is 25Mbit/s up and 200Mbit/s down there is remote site connected with two ipsec tunnels to the main site (one to wan1 and one to wan2) inside these tunnels there...
by moep
Sun Nov 20, 2016 1:47 am
Forum: General
Topic: ipsec xauth mode-config unreliable
Replies: 1
Views: 727

Re: ipsec xauth mode-config unreliable

+1 same Problem here sometimes it drops the dynamic configuration without notice. only "kill-connections" will get the dynamic policy and mode-config IP on remote online again. Please fix this problem, as it is very annoying if there are plenty of remote sides, which will all be disconnected with "k...
by moep
Sun Aug 21, 2016 2:08 pm
Forum: Announcements
Topic: v6.36 [current] is released!
Replies: 183
Views: 41632

Re: v6.36 [current] is released!

Seems that mark routing is failing since 6.36   and only traffic from main wan is working. If you disable fasttrack rule all works fine. Same configuration works fine with 6.35.x I am having a similar problem with 6.36 on CCR. Previous Version was 6.35.2. I had a fasttrack rule for WAN1 (PPPoE-Clie...
by moep
Wed Jan 27, 2016 8:30 pm
Forum: General
Topic: is it possible to create a custom IPSec default peer template?
Replies: 1
Views: 511

is it possible to create a custom IPSec default peer template?

Hello, is it possible to create a peer template that is used everytime I connect via the L2TP transport tunnel? Via the "auto IPSec" fuction the peer generated is quite useless: The upper peer is what I want to have, the lower one is generated everytime the l2tp tunnel is brought up. I cannot enter ...
by moep
Wed Jan 20, 2016 8:07 pm
Forum: RouterBOARD hardware
Topic: RB3011: System clock looses seconds and NTP not working
Replies: 11
Views: 3040

Re: RB3011: System clock looses seconds and NTP not working

same here with 6.33.5 on RB3011
but not with other devices, only with "arm" (tested against tile, ppc, mips-be and smips)

workaround script:
/system ntp client set enabled=no
/system ntp client set enabled=yes
by moep
Sun Aug 16, 2015 1:10 am
Forum: Announcements
Topic: 6.31 released
Replies: 227
Views: 47204

Re: 6.31 released

working fine on several devices (CCR, CRS, Groove, 951G, 751G, hap-lite) one common issue /system shutdown via Winbox and/or console, ssh, telnet is not working anymore The device does make a reboot instead. This issue is found on the platforms mips-be and smips (tilera not tested but likely also af...
by moep
Wed Jul 08, 2015 8:15 pm
Forum: Announcements
Topic: 6.30 released
Replies: 180
Views: 42051

Re: 6.30 released

I just upgrades my CCR1009-PC I now have problems on my bonding interface. Its configured for active-backup. ether8 is master and ether7 is slave. If you disconnect the ethernet cable from ether8 you get an instant reboot with the following lines in the log/terminal: System rebooted because of kerne...
by moep
Wed Jun 24, 2015 9:24 pm
Forum: General
Topic: Open VPN TLS or SSL?
Replies: 0
Views: 755

Open VPN TLS or SSL?

Hello, can anybody answer the question, if the currently used implementation of OpenVPN on RouterOS is using TLS(1.0, 1.1, 1.2) or SSL? I am currently using v6.27 on all my devices in the network. Does this change with newer versions? Further explanation: As the newer Client Versions default to TLS ...
by moep
Sun Jul 08, 2012 5:55 pm
Forum: General
Topic: RB1100AH and VDSL2 24h reconnect problem
Replies: 2
Views: 1169

Re: RB1100AH and VDSL2 24h reconnect problem

Hello and Thank you for your answer,

the problem is not DynDNS related. Once the connetion goes up it updates the IP and everything is working.
But if I do not switch off the modem, there is no reconnect! No PPPoE connection!
It tries to connect but nothing happens until you reststart the modem.
by moep
Tue Jul 03, 2012 10:47 pm
Forum: General
Topic: RB1100AH and VDSL2 24h reconnect problem
Replies: 2
Views: 1169

RB1100AH and VDSL2 24h reconnect problem

Greetings to the Mikrotik user community, I have a recent problem with my central site gateway connecting 4 branch sites and one secondary site via IPSEC and fallback OVPN tunnels with BGP routing. The main site has 2 VDSL2 connections, one of them has a ip subnet configured while the other one has ...